I'm setting up a bridged OpenVPN setup for securing wireless. This is
my first ever attempt to use OpenVPN, so I really don't know what I'm
talking about. Looking at the example on www.shorewall.net, there is a
sample Debian /etc/network/interfaces file that reads:
# LAN interface
auto br0
iface br0 inet static
address 192.168.1.254
netmask 255.255.255.0
pre-up /usr/sbin/openvpn --mktun --dev tap0
pre-up /sbin/ip link set tap0 up
pre-up /sbin/ip link set eth3 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth3
pre-up /usr/sbin/brctl addif br0 tap0
post-down /usr/sbin/brctl delif br0 eth3
post-down /usr/sbin/brctl delif br0 tap0
post-down /usr/sbin/brctl delbr br0
post-down /usr/sbin/openvpn --rmtun --dev tap0
Later in the documentation there is a sample /etc/shorewall/interfaces
file. It looks like this:
#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth2        206.124.146.255   dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc     br0         192.168.1.255     dhcp,routeback
dmz     eth1        -                 logmartians
Wifi    eth0        192.168.3.255     dhcp,maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
If I understand correctly, shouldn't the br0 interface be bridging
between the tap0 (OpenVPN) and eth0 (local) interfaces? Shouldn't the
eth3 entries be eth0? If not, I don't understand what the eth3 entries
do.
-Thanks,
Russel Riley
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
On Friday 24 February 2006 08:22, Russel wrote:
> If I understand correctly, shouldn't the br0 interface be bridging
> between the tap0 (OpenVPN) and eth0 (local) interfaces? Shouldn't the
> eth3 entries be eth0? If not, I don't understand what the eth3 entries
> do.

eth0 connects to the WAP. eth3 connects to the local interfaces. The
bridge is bridging the local network (eth3) with tap0. eth3 has no IP
configuration and is not mentioned in the shorewall configuration (just
as tap0 is not).
HTH
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
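The invariant in Tom's answer is that the bridge members (eth3 and tap0) carry no IP configuration and do not appear in /etc/shorewall/interfaces, while br0 does. The script below is an added example, not from this thread or from Shorewall, that checks that invariant; the `ip -o -4 addr` output and the interfaces file are constructed samples, and the function names listed_in and check_bridge_members are my own.

```shell
# Added example: verify that bridge members have no IPv4 address and are not
# listed in /etc/shorewall/interfaces, while the bridge itself is listed.
# Inputs are constructed; on a host use `ip -o -4 addr` and the real file.

# constructed `ip -o -4 addr` output: only interfaces with an address appear
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth2    inet 206.124.146.177/24 brd 206.124.146.255 scope global eth2
3: br0    inet 192.168.1.254/24 brd 192.168.1.255 scope global br0
4: eth0    inet 192.168.3.254/24 brd 192.168.3.255 scope global eth0'

# constructed /etc/shorewall/interfaces, following the documentation excerpt
SAMPLE_SHOREWALL='#ZONE INTERFACE BROADCAST OPTIONS
net eth2 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc br0 192.168.1.255 dhcp,routeback
dmz eth1 - logmartians
Wifi eth0 192.168.3.255 dhcp,maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# listed_in TEXT NAME: true if NAME is the second column of a non-comment line
listed_in() {
    printf '%s\n' "$1" | grep -v '^#' | awk -v n="$2" '$2 == n' | grep -q .
}

# check_bridge_members IP_ADDR_TEXT SHOREWALL_TEXT BRIDGE MEMBER...
# Prints one line per problem; the return value is the number of problems.
check_bridge_members() {
    ip_addr=$1; shorewall=$2; bridge=$3; shift 3
    problems=0
    for member in "$@"; do
        # a bridge member carries no IP configuration of its own
        if listed_in "$ip_addr" "$member"; then
            echo "$member: has an IPv4 address but is a member of $bridge"
            problems=$((problems + 1))
        fi
        # and is not an interface Shorewall sees; traffic arrives on the bridge
        if listed_in "$shorewall" "$member"; then
            echo "$member: listed in shorewall interfaces but is a member of $bridge"
            problems=$((problems + 1))
        fi
    done
    # the bridge itself must be the interface in /etc/shorewall/interfaces
    if ! listed_in "$shorewall" "$bridge"; then
        echo "$bridge: not listed in shorewall interfaces"
        problems=$((problems + 1))
    fi
    return $problems
}

check_bridge_members "$SAMPLE_IP_ADDR" "$SAMPLE_SHOREWALL" br0 eth3 tap0 && echo "br0/eth3/tap0 layout is consistent"
```

Running the same check with eth0 named as a member (the layout the question assumed) reports two problems, since eth0 both has an address and has its own Wifi zone.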
> On Friday 24 February 2006 08:22, Russel wrote:
>> If I understand correctly, shouldn't the br0 interface be bridging
>> between the tap0 (OpenVPN) and eth0 (local) interfaces? Shouldn't
>> the eth3 entries be eth0? If not, I don't understand what the eth3
>> entries do.
>
> eth0 connects to the WAP. eth3 connects to the local interfaces. The
> bridge is bridging the local network (eth3) with tap0. eth3 has no IP
> configuration and is not mentioned in the shorewall configuration (just
> as tap0 is not).
>
> HTH
> -Tom

That clarifies everything.
It all makes sense now. I hadn't even noticed that tap0 wasn't mentioned
in the interfaces file either. Thanks for the reply Tom!
-Russel